git-ai-search
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill is designed to restore AI conversation context from git history, which is untrusted external data.
  - Ingestion points: Data enters the agent context via `git-ai search` and `git-ai continue`, which retrieve transcripts and metadata from git commits and notes.
  - Boundary markers: There are no boundary markers or delimiters used to encapsulate restored context, making it indistinguishable from the agent's primary instructions.
  - Capability inventory: The `git-ai continue --launch` command spawns a new agent session with the restored context, allowing malicious instructions embedded in a commit to take control of the agent.
  - Sanitization: No sanitization or validation of the restored conversation history is performed before it is re-injected into the prompt stream.
- [Command Execution] (MEDIUM): The skill relies on executing shell commands via the `Bash(git-ai:*)` tool. While it restricts tools to the `git-ai` prefix, the ability to launch agents (`--launch`) or copy data to the clipboard (`--clipboard`) from untrusted git metadata poses a significant risk of side-effects.
- [Automated Scan Alert] (HIGH): An external scanner (URLite) reported a blacklist match for 'main.rs'. While likely a false positive triggered by a filename in the examples, in an 'assume-malicious' posture, this suggests a potential signature match for known attack scripts or malicious patterns commonly associated with that filename.
Recommendations
- AI detected serious security threats
- Contains 1 malicious URL(s) - DO NOT USE